Cyber personnel, procurement problems plaguing government IT efforts

Could the federal government’s cybersecurity woes be solved with a trip to Best Buy?

Though Rep. Jason Chaffetz (R-Utah) was kidding about the shopping spree, the ranking member said he’s serious about bringing the government into the 21st century to avoid another Office of Personnel Management-level data breach.

Speaking at a Sept. 7 panel hosted by AEI in Washington, Chaffetz said outdated infrastructure and a deficit of cyber personnel continue to plague federal agencies.

“What I see a lot of happening, is we take people who are good, educated, they’re excited and they’re getting jobs. Then we’re dumbing them down to 1960’s technology,” Chaffetz said. “We’re trying to recode and play defense. We have literally thousands of people that would be better deployed with newer technologies. And the acquisition process … we’re slow; we’re slow to get to the next generation of things. It’s a problem, it’s a real problem.”

Chaffetz’s warning comes on the heels of a new report from the Republican majority of the House Oversight and Government Reform Committee. Chaffetz chairs the full committee.

In the more than 200-page report, investigators say outdated technology and a failure on the part of former leadership at OPM were major factors in the 2014 and 2015 cyber attacks, which jeopardized the personal information of more than 21 million federal employees and their families.

Rep. Elijah Cummings (D-Md.), ranking member of the committee, said in a statement that the report reaches conclusions that don’t line up with the facts found during their investigation.

“The committee’s year-long investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed,” Cummings said.

Acting OPM Director Beth Cobert sent an email to employees Sept. 7, advising that they would likely see reports on the committee’s investigation and highlighting the agency’s progress in the year since the breach.

“We have strengthened our legacy technology systems while developing a new, modern IT infrastructure, which will provide a secure environment for OPM well into the future,” Cobert said. “We are working with our partners at the Department of Defense who are designing, building and will operate the IT infrastructure for the new National Background Investigations Bureau.”

“Thank you to each and every member of the OPM team — both to those who have been on the front lines of dealing with the aftermath of the intrusions and those who have continued to help this agency deliver on its core missions,” she added.

In his speech, Chaffetz credited Cobert’s work since taking on the role of acting director, but was critical of the agency’s former leadership and its processes for handling the breaches.

“While OPM is trying to press the reset button to kick out the first attacker, the starting reality is the second, likely-related attacker was already roaming undetected in their system,” Chaffetz said. “OPM leadership could have prevented or significantly mitigated the damage the country eventually incurred if in March of 2014, it had immediately secured the most valuable data, including possibly shutting down the system — pull the plug out for goodness’ sake — and deploy cutting-edge preventative cyber tools. Fully implementing enforce-based security access controls like multi-factor authentication would have seriously limited the adversary’s ability to move around the network, perhaps even delaying the adversary long enough to prevent the exfiltration of the data.”

The investigation determined that OPM’s lack of updated IT infrastructure and its failure to adopt security controls like multi-factor authentication and encryption created an environment ripe for hacking.

The report also acknowledges the work done by CyTech and its CyFIR (forensics and incident response) tool and by Cylance, and claims OPM did not repay the company, or did not do so in a timely fashion, for their work in identifying malicious activity related to the breaches.

Cyber personnel

Among the report’s recommendations for avoiding a repeat is a zero trust IT security model.

Chaffetz suggested that, unlike an elementary school hall pass, which allows someone to move freely after one or two validations, a zero trust model assumes anyone on either side of a network could be a threat.

Chaffetz said an out-of-date cyber framework is also a risk for agencies, made even worse by a lengthy federal procurement process that prevents them from staying current with new technology.

“It is not swift, it is not effective, it is not efficient,” Chaffetz said. “In the world of cybersecurity it sometimes will be generations after new technology has actually come and gone.”

And even once that framework is in place, it’s hard to hire and retain personnel to run it.

“Let’s make good, smart decisions and have them well thought out,” Chaffetz told Federal News Radio. “They’ve got to speed up the process. We’re in the 2000’s here. The paradigm has really, truly changed. And then have the personnel in place. That’s going to be one of the hardest parts of the equation. You get new technology but you don’t have the person to run it.”

Chaffetz said there’s no easy solution to the cyber personnel side of the problem, but the report does make recommendations. Those recommendations include:

  • OPM, Homeland Security and the Office of Management and Budget mapping the entire cyber workforce across agencies using the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework.
  • OPM, DHS and OMB developing recommendations for federal workforce training and professional development.
  • OPM and OMB collecting special hiring authorities by agency that can be used to hire cyber and IT personnel across the government.

Ben Cotton, founder and CEO of CyFIR, told Federal News Radio that there needs to be a streamlined process for acquiring IT, or else the government risks being “totally left in the dust from a security capabilities standpoint.”

Cotton also said the report validated the company’s technology.

“Overall the report is extremely welcome in that it accurately depicted what CyTech and CyFIR’s role was in detecting malware inside the network,” Cotton said.

In a statement, Cylance founder and CEO Stuart McClure said it was “an honor to have been able to help stop and clean up this vicious attack.”

“The OPM breach, and countless others like it, is exactly why we were compelled to apply artificial intelligence to fighting hackers, whether state actors, rogue hackers, organized criminal groups, or cyber terrorists,” McClure said.